Dynamic Zone File Audit Logs in BIND 9
21 Jan 2019

Is it possible to enable audit logs on BIND so we can track changes performed at the DNS record level (add/delete/modify A, MX, NS records)?

You get this by default, depending on how the changes were performed.

If you use nsupdate or some other dynamic DNS UPDATE client, named logs each change in the update logging category like this:

08-Jan-2019 11:55:09.826 update: info:
	client @0x55b747f47ec0 ::1#5685/key local-ddns:
	updating zone 'private.cam.ac.uk/IN':
	adding an RR at 'private.cam.ac.uk' SOA primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
08-Jan-2019 11:55:09.826 update: info:
	client @0x55b747f47ec0 ::1#5685/key local-ddns:
	updating zone 'private.cam.ac.uk/IN':
	adding an RR at 'QQQQ.lcil.private.cam.ac.uk' A 172.22.QQ.QQ

The changes are also recorded in the zone's journal, which you can extract this way:

$ named-journalprint /home/named/zone/private.cam.ac.uk.jnl
[...]
del private.cam.ac.uk.  3600    IN      SOA     primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546944908 1800 900 604800 3600
add private.cam.ac.uk.  3600    IN      SOA     primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
add QQQQ.lcil.private.cam.ac.uk. 3600 IN        A       172.22.QQ.QQ
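As an added example (not ISC's code, and not from the bind-users thread the article is based on), the following Python script turns both audit trails into one record shape so they can be reconciled: the update-category log lines shown above, which named writes as a single line each (the article wraps them for readability), and named-journalprint output. The sample lines are constructed from the excerpts above; the third log line, an RRset deletion, is an assumption about named's message wording and is not taken from the article.

```python
"""Reconcile BIND 9 dynamic-update audit trails: named's 'update' category
log lines and named-journalprint output. Added illustration; not ISC code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of 'update' log lines. named emits each entry as one
# line (the article wraps them); names and addresses are placeholders. The
# third line (an RRset deletion) is an assumed message shape, not from the
# article.
SAMPLE_UPDATE_LOG = """\
08-Jan-2019 11:55:09.826 update: info: client @0x55b747f47ec0 ::1#5685/key local-ddns: updating zone 'private.cam.ac.uk/IN': adding an RR at 'private.cam.ac.uk' SOA primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
08-Jan-2019 11:55:09.826 update: info: client @0x55b747f47ec0 ::1#5685/key local-ddns: updating zone 'private.cam.ac.uk/IN': adding an RR at 'QQQQ.lcil.private.cam.ac.uk' A 172.22.QQ.QQ
08-Jan-2019 12:03:17.402 update: info: client @0x55b747f47ec0 192.0.2.9#41022/key local-ddns: updating zone 'private.cam.ac.uk/IN': deleting rrset at 'old.lcil.private.cam.ac.uk' A
"""

# Constructed sample of named-journalprint output, same shape as the article.
SAMPLE_JOURNAL = """\
[...]
del private.cam.ac.uk.  3600    IN      SOA     primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546944908 1800 900 604800 3600
add private.cam.ac.uk.  3600    IN      SOA     primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
add QQQQ.lcil.private.cam.ac.uk. 3600 IN        A       172.22.QQ.QQ
"""


@dataclass
class AuditRecord:
    source: str                      # "log" or "journal"
    op: str                          # "add" or "del"
    owner: str                       # owner name, normalised to lower-case FQDN
    rtype: str
    rdata: Optional[str]             # None when a whole RRset was deleted
    zone: Optional[str] = None       # log only
    client: Optional[str] = None     # address#port of the updater (log only)
    key: Optional[str] = None        # TSIG key name when the update was signed
    timestamp: Optional[str] = None  # log only


UPDATE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) update: \w+: "
    r"client (?:@0x[0-9a-f]+ )?(?P<client>\S+?)(?:/key (?P<key>[^\s:]+))?: "
    r"updating zone '(?P<zone>[^']+)': "
    r"(?P<action>adding an RR|deleting an RR|deleting rrset) at '?(?P<owner>[^' ]+)'? "
    r"(?P<rtype>[A-Z0-9]+)(?: (?P<rdata>.+))?$"
)
JOURNAL_RE = re.compile(
    r"^(?P<op>add|del)\s+(?P<owner>\S+)\s+\d+\s+IN\s+(?P<rtype>\S+)\s+(?P<rdata>.+)$"
)


def _fqdn(name: str) -> str:
    """DNS names are case-insensitive; the log omits the trailing dot, the journal keeps it."""
    return name.lower().rstrip(".") + "."


def parse_update_log(text: str) -> List[AuditRecord]:
    records: List[AuditRecord] = []
    for line in text.splitlines():
        m = UPDATE_RE.match(line)
        if not m:
            continue  # other categories, or update messages this parser does not model
        rdata = " ".join(m["rdata"].split()) if m["rdata"] else None
        records.append(AuditRecord(
            source="log",
            op="add" if m["action"].startswith("adding") else "del",
            owner=_fqdn(m["owner"]), rtype=m["rtype"], rdata=rdata,
            zone=_fqdn(m["zone"].split("/")[0]), client=m["client"],
            key=m["key"], timestamp=m["ts"]))
    return records


def parse_journal(text: str) -> List[AuditRecord]:
    records: List[AuditRecord] = []
    for line in text.splitlines():
        m = JOURNAL_RE.match(line)
        if not m:
            continue  # skips "[...]" and any header lines
        records.append(AuditRecord(
            source="journal", op=m["op"], owner=_fqdn(m["owner"]),
            rtype=m["rtype"], rdata=" ".join(m["rdata"].split())))
    return records


def serial_transitions(journal: List[AuditRecord]) -> List[Tuple[int, int]]:
    """Each journal transaction deletes the old SOA and adds the new one; pair them up."""
    out: List[Tuple[int, int]] = []
    pending: Optional[int] = None
    for r in journal:
        if r.rtype != "SOA":
            continue
        serial = int(r.rdata.split()[2])
        if r.op == "del":
            pending = serial
        elif pending is not None:
            out.append((pending, serial))
            pending = None
    return out


def unjournaled_changes(log: List[AuditRecord], journal: List[AuditRecord]) -> List[AuditRecord]:
    """Logged changes with no matching journal entry, e.g. after the journal was trimmed."""
    seen = {(r.op, r.owner, r.rtype, r.rdata) for r in journal}
    return [r for r in log if r.rdata is not None
            and (r.op, r.owner, r.rtype, r.rdata) not in seen]


def changes_by_key(log: List[AuditRecord]) -> Dict[str, int]:
    """How many changes each TSIG key made; 'unsigned' for updates without a key."""
    counts: Dict[str, int] = {}
    for r in log:
        counts[r.key or "unsigned"] = counts.get(r.key or "unsigned", 0) + 1
    return counts


if __name__ == "__main__":
    log_records = parse_update_log(SAMPLE_UPDATE_LOG)
    journal_records = parse_journal(SAMPLE_JOURNAL)
    print("serial transitions:", serial_transitions(journal_records))
    print("changes per key:", changes_by_key(log_records))
    print("logged but not in journal:", unjournaled_changes(log_records, journal_records))
```

The log answers "who changed what, when" (client address and TSIG key), while the journal only records the resulting zone deltas, so the two are complementary: run the script over a real update log and the `named-journalprint` output of the same zone, and anything reported as logged-but-unjournaled is history that the journal no longer holds.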

If you rely on the journal as an audit record, look at the max-journal-size option, which controls how much history named keeps before it trims the journal, and ixfr-from-differences, which makes named write zone changes to the journal even when a zone is reloaded from an edited file.

If you are not using the 'dynamic zone' model, but are updating static zone files, the best approach is to use a version control system (CVS, git) to provide version control on the files.

Note: this article is based on advice posted on bind-users@lists.isc.org by Tony Finch.